CVE-2026-1780 identifies a reflected Cross-Site Scripting (XSS) vulnerability in the [CR]Paid Link Manager plugin for WordPress, developed by silentwind. This vulnerability exists in all versions up to and including 0.5 due to insufficient sanitization and escaping of user-controlled input within the URL path. Specifically, the plugin fails to properly neutralize input before embedding it into web pages, allowing attackers to inject arbitrary JavaScript code. Since the vulnerability is reflected, the malicious script is not stored but immediately reflected back in the HTTP response when a crafted URL is accessed. Exploitation requires no authentication but does require user interaction, such as clicking a malicious link crafted by the attacker. The vulnerability impacts the confidentiality and integrity of the affected web application by enabling attackers to execute scripts in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information, or manipulation of page content. The CVSS 3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, but user interaction needed. The scope is changed (S:C) because the vulnerability can affect components beyond the vulnerable plugin, such as user sessions or other site content. No known exploits have been reported in the wild, and no official patches or updates have been published at the time of this report. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation. Given the widespread use of WordPress and the plugin's functionality related to managing paid links, this vulnerability could be leveraged in targeted phishing or social engineering campaigns.

The primary impact of CVE-2026-1780 is on the confidentiality and integrity of affected WordPress sites using the [CR]Paid Link Manager plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of a victim's browser, which can lead to session hijacking, theft of cookies or credentials, unauthorized actions on behalf of the user, defacement of website content, or redirection to malicious websites. This can damage the reputation of affected organizations, lead to data breaches, and potentially facilitate further attacks such as malware distribution or credential theft. Since the vulnerability is reflected XSS, it requires user interaction, limiting large-scale automated exploitation but still posing a significant risk in targeted attacks or phishing campaigns. The lack of authentication requirements lowers the barrier for attackers. The vulnerability does not affect availability directly but can indirectly cause service disruption if exploited for defacement or malicious redirects. Organizations relying on this plugin for managing paid links may face financial and reputational damage if exploited. Additionally, the scope change indicates that the impact can extend beyond the plugin itself, affecting other site components and user data.

To mitigate CVE-2026-1780, organizations should first check for updates or patches from the plugin vendor and apply them promptly once available. In the absence of official patches, administrators should consider disabling or uninstalling the [CR]Paid Link Manager plugin to eliminate the attack surface. Implementing Web Application Firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting the URL path can provide temporary protection. Site owners should enforce Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Input validation and output encoding should be applied rigorously in any custom code interacting with the plugin or handling URL parameters. Educating users and administrators about phishing risks and suspicious links can reduce the likelihood of successful exploitation. Monitoring web server logs for unusual URL patterns or repeated suspicious requests can help detect attempted exploitation. Finally, consider isolating critical administrative interfaces and enforcing multi-factor authentication to limit the damage from compromised sessions.